Cryptography is all around us

• online shopping
• internet banking
• electronic passports
• PlayStation 3
• Blu-ray player
Value of Cryptography

The Security Division of EMC
$2.1 billion, 1,300 employees

$5.7 billion, 1,000 employees

$39 billion, 18,000 employees

amazon.com
$82 billion, 34,000 employees

Source: Wiki & NASDAQ
What is Authenticated Communication?



How do we enable authenticated communication? 
Asymmetric Cryptography

RSA Keys

The protocol is based on two number pairs, called keys

1. Choose two large prime numbers p & q

2. Compute n = p*q

3. Choose two numbers, d & e, such that:
   d*e = 1 mod ((p-1)(q-1))

   Effect: m^(d*e) mod n = m mod n

4. Keep (d,n) as the secret private key

5. Advertise (e,n) as the public key



Public key (e,n)

RSA Authentication

Correct Authentication:

• Server challenge:
  s = m^d mod n

• Client verifies:
  m = s^e mod n

Public Key (e,n)
Are These Algorithms Secure?
(i.e., cryptanalysis)

Attacking the algorithm by guessing key




2009: Researchers brute-forced a 768-bit key over several computation years


Attacking the implementation

Side-channel: by monitoring side effects

Attacks via Transient Faults 


• Transient fault: a short perturbation of a logic value in a circuit
  • Typically lasts <1 clock cycle
  • If latched, can cause permanent computation errors

• Transient faults occur naturally in silicon due to
  • Cosmic rays
  • Alpha particles
  • Location, density, frequency cannot be controlled

• This talk’s focus:
  Is it possible to perpetrate a security attack via transient faults?
Fault-Based Attacks

Cause errors in the system: a faulty computer may leak secrets

• Theoretical on some RSA implementations
  • Chinese Remainder Theorem
  • Left-to-right exponentiation
  “On the Importance of Checking Computations”, Boneh et al.

• Demonstrated on simple components
  • Smart Cards & Microcontrollers
  “Fault attacks on RSA with CRT: Concrete results and practical countermeasures”, Aumüller et al.
  “A practical fault attack on square and multiply”, Schmidt et al.
Faulty RSA Authentication

Correct Authentication:

• Server challenge:
  s = m^d mod n

• Client verifies:
  m = s^e mod n

Private Key (d,n)

Public Key (e,n)

Faulty Server:
  s != m^d mod n

Private Key (d,n)

Our Experimental Platform 




Voltage controller to inject faults

OpenSSL

Debian

Leon3

Virtex-II Pro
How I Transported It To Black Hat

Correct Sequential Circuit

How can we inject faults in a digital system?

Faulty Sequential Circuit

How can we inject faults in a digital system?

The lower the voltage, the less energy the electric signals have in traversing the logic cloud
Computing: s = m^d mod n

Fixed Window Exponentiation, used in OpenSSL

The algorithm partitions the exponent into windows:

[Figure: the bits of the exponent d grouped into windows]

s = 1
for each window:
    for each bit in window:    // 4 times
        s = (s * s) mod n
    s = (s * m^d[window]) mod n
return s
Computing: s = m^d mod n

d = 214 = 1101 0110
    window 1 = 1101, window 2 = 0110

s = 1
for each window:
    for each bit in window:
        s = (s * s) mod n
    s = (s * m^d[window]) mod n
return s

Window 1:
    s = m^1101
Window 2, after the squarings:
    s = ((((m^1101)^2)^2)^2)^2
Window 2, after the multiplication:
    s = ((((m^1101)^2)^2)^2)^2 * m^0110
Faulty Signature: s != m^d mod n

d = 214 = 1101 0110
    window 1 = 1101, window 2 = 0110

s = 1
for each window:
    for each bit in window:    // 4 times
        s = (s * s) mod n
    s = (s * m^d[window]) mod n
return s

Fault (± 2^f) during the squarings of window 2:
    s = ((m^1101)^2)^2 ± 2^f
    s = ((((m^1101)^2)^2 ± 2^f)^2)^2 * m^0110
Retrieving the Private Key

• The attacker collects the faulty signatures

Private Key

Public Key
Reconstructing the Signature

The private key is recovered one window at a time, guessing where and when the fault hits

For each window value to be guessed and each signature we test:

• 1024 error positions
• 2 possible error values (0→1 or 1→0)
• 6 squaring iterations
Offline Analysis

With a sufficient number of corrupted signatures the attack is polynomial w.r.t. the length of the key

• Performing this check takes about 100 seconds
• In the worst case we have 2^6 values to check!
• If no faulty signature can confirm the value of the guess, we must extend the window
The Whole Truth About This Search

But, how do we deal with the unknowns d_0, d_1, ..., d_(k-2)?

We can reduce the red part to m by:

1. Multiplying both sides by ((m^(d_k))^64 * m^(d_(k-1)))^64

2. Raising both sides to the e power

(s * ((m^(d_k))^64 * m^(d_(k-1)))^64)^e
    = ((((((((m^(d_k))^64 * m^(d_(k-1)))^2)^2)^2 ± 2^f)^2)^2)^2)^e * m

Now everything is in terms of known or to-be-guessed terms!
Our Setup

• Faults manifest in the multiplier of the server’s CPU
Fault Injection Mechanisms

How to make hardware fail:

✓ Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock
• High temperatures increase signal propagation delays
• Over-clocking shortens the allowed time for traversing the logic cloud
• Natural particles cause internal signals to change value, causing errors

All these sources of errors can be controlled to tune the fault injection rate and target some units in the design
Fault Injection

A corrupted signature leaks data if only one multiplication is corrupted by a single bit flip

[Plot: faulty products (%)]

Fault Distribution

The attacked algorithm uses 6-bit windows: any of the 6 squaring iterations has the same probability to fail

[Plot: occurrences vs. squaring iteration]
Fault Position

The faults affect some bit positions more than others, proving that the critical path of the multiplier is failing
Offline Analysis

• In practice, 40 bit positions are typically affected by faults
  → the computation time is reduced to 2.5 seconds
• Analyzing 8,800 corrupted signatures requires 1 CPU-
• Signatures can be checked in parallel
• Using 80 servers the 1024-bit key was retrieved in 104 hours

Physical Attack
Fault Injection Mechanisms

How to make hardware fail:

• Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock
✓ High temperatures increase signal propagation delays
• Over-clocking shortens the allowed time for traversing the logic cloud
• Natural particles cause internal signals to change value, causing errors

Course project by:
Armin Alaghi, William Arthur, Prateek Tandon
Temperature-Induced Faults

#Key Bits Revealed (128-bit RSA)

Challenges

• Controlling temperature
• Thermal runaway when attacking 1024-bit
• Solution: Use heat sink, moderate temperature
• Runtime is an issue

• Extracted 30% of the private key (283/1000 corrupted, 91 useful messages)
Conclusions

• Transient faults can leak vital private key data

• Fault-based attack devised for OpenSSL 0.9.8i’s Fixed Window Exponentiation algorithm

• Attack demonstrated on a complete physical Leon3 SPARC system

• Software fix using “blinding”, available in OpenSSL to protect against timing attacks: make sure to deploy it


Published: “Fault-based Attack of RSA Authentication” - DATE 2010 
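
The fixed-window exponentiation and the single-bit squaring fault from the slides above, together with the blinding fix named in the conclusions, as an added Python sketch (not code from the talk or from OpenSSL). Assumptions of this example: a constructed toy key (p = 61, q = 53), 4-bit windows as on the d = 214 slide, hypothetical function names, a fault simulated in software, and a verify-before-release check added alongside the blinding.

```python
import math
import secrets

def fixed_window_exp(m, d, n, w=4, fault=None):
    """Left-to-right fixed-window m^d mod n, following the slides' pseudocode.

    fault=(window, squaring, bit) flips one bit of s right after that
    squaring, a software stand-in for one transient multiplier error.
    """
    nwin = max(1, -(-d.bit_length() // w))        # ceil(bits / w)
    s = 1
    for i in range(nwin):                         # most significant window first
        chunk = (d >> (w * (nwin - 1 - i))) & ((1 << w) - 1)
        for j in range(w):
            s = (s * s) % n
            if fault is not None and tuple(fault[:2]) == (i, j):
                s ^= 1 << fault[2]
        s = (s * pow(m, chunk, n)) % n
    return s

def sign_unprotected(m, d, n, fault=None):
    """Releases whatever the exponentiation produced, faulty or not."""
    return fixed_window_exp(m, d, n, fault=fault)

def sign_hardened(m, d, e, n, fault=None):
    """Base blinding plus verify-before-release; None means withheld."""
    while True:                                   # random r invertible mod n
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n              # exponentiate m*r^e, not m
    s = fixed_window_exp(blinded, d, n, fault=fault)
    s = (s * pow(r, -1, n)) % n                   # (m*r^e)^d / r = m^d mod n
    return s if pow(s, e, n) == m % n else None   # never release a wrong s

# Constructed toy key, far too small for real use: p = 61, q = 53.
N, E, D = 3233, 17, 2753                          # D = 1010 1100 0001 in binary
M = 65                                            # constructed message
FAULT = (2, 3, 5)                                 # last window, last squaring, bit 5

if __name__ == "__main__":
    print("correct  :", sign_unprotected(M, D, N))
    print("faulty   :", sign_unprotected(M, D, N, fault=FAULT))
    print("hardened :", sign_hardened(M, D, E, N, fault=FAULT))   # None
```

With the fault applied, sign_unprotected returns a value that differs from m^d mod n, while sign_hardened returns None, so no corrupted signature leaves the signer.
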
Take Away for the Security Conscious

• Always keep OpenSSL and all cryptographic libraries updated

• Always make sure that the HW is working in proper conditions
  • Do not overclock
  • Cool the system properly
  • Avoid power fluctuations

A computer system operating outside its nominal conditions might not fail dramatically: however, silent data corruptions are even more dangerous